feat: accept registry-scoped certfile and keyfile as credentials

Closes npm#4765 RFC: npm/rfcs#591 While this doesn't directly allow top-level cert/key as credentials (per the original issue), it's a more targeted/secure approach that accomplishes the same end-result; the new options are scoped to a specific registry, and the actual cert/key contents are much less likely to be exposed. See the RFC for more context. Depends on: * npm/npm-registry-fetch#125 * npm/config#69
jenseng · Jul 12, 2022 · 1b0b9ea · 1b0b9ea
1 parent 45a9bde
commit 1b0b9ea
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 12 deletions.
diff --git a/lib/commands/publish.js b/lib/commands/publish.js
@@ -7,6 +7,7 @@ const runScript = require('@npmcli/run-script')
 const pacote = require('pacote')
 const npa = require('npm-package-arg')
 const npmFetch = require('npm-registry-fetch')
+const hasCredentials = require('../utils/has-credentials.js')
 const replaceInfo = require('../utils/replace-info.js')
 
 const otplease = require('../utils/otplease.js')
@@ -101,7 +102,7 @@ class Publish extends BaseCommand {
     const resolved = npa.resolve(manifest.name, manifest.version)
     const registry = npmFetch.pickRegistry(resolved, opts)
     const creds = this.npm.config.getCredentialsByURI(registry)
-    const noCreds = !creds.token && !creds.username
+    const noCreds = !hasCredentials(creds)
     const outputRegistry = replaceInfo(registry)
 
     if (noCreds) {

diff --git a/lib/utils/config/definitions.js b/lib/utils/config/definitions.js
@@ -436,8 +436,8 @@ define('cert', {
     cert="-----BEGIN CERTIFICATE-----\\nXXXX\\nXXXX\\n-----END CERTIFICATE-----"
     \`\`\`
 
-    It is _not_ the path to a certificate file (and there is no "certfile"
-    option).
+    It is _not_ the path to a certificate file, though you can set a registry-scoped
+    "certfile" path like "//other-registry.tld/:certfile=/path/to/cert.pem".
   `,
   flatten,
 })
@@ -1118,7 +1118,8 @@ define('key', {
     key="-----BEGIN PRIVATE KEY-----\\nXXXX\\nXXXX\\n-----END PRIVATE KEY-----"
     \`\`\`
 
-    It is _not_ the path to a key file (and there is no "keyfile" option).
+    It is _not_ the path to a key file, though you can set a registry-scoped
+    "keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem".
   `,
   flatten,
 })

diff --git a/lib/utils/get-identity.js b/lib/utils/get-identity.js
@@ -1,4 +1,5 @@
 const npmFetch = require('npm-registry-fetch')
+const hasCredentials = require('./has-credentials.js')
 
 module.exports = async (npm, opts) => {
   const { registry } = opts
@@ -9,8 +10,8 @@ module.exports = async (npm, opts) => {
     return creds.username
   }
 
-  // No username, but we have a token; fetch the username from registry
-  if (creds.token) {
+  // No username, but we have other credentials; fetch the username from registry
+  if (hasCredentials(creds)) {
     const registryData = await npmFetch.json('/-/whoami', { ...opts })
     return registryData.username
   }

diff --git a/lib/utils/has-credentials.js b/lib/utils/has-credentials.js
@@ -0,0 +1,5 @@
+function hasCredentials (creds) {
+  return !!(creds.token || creds.username || creds.certfile && creds.keyfile)
+}
+
+module.exports = hasCredentials
diff --git a/tap-snapshots/test/lib/utils/config/definitions.js.test.cjs b/tap-snapshots/test/lib/utils/config/definitions.js.test.cjs
@@ -404,8 +404,9 @@ newlines replaced by the string "\\n". For example:
 cert="-----BEGIN CERTIFICATE-----\\nXXXX\\nXXXX\\n-----END CERTIFICATE-----"
 \`\`\`
 
-It is _not_ the path to a certificate file (and there is no "certfile"
-option).
+It is _not_ the path to a certificate file, though you can set a
+registry-scoped "certfile" path like
+"//other-registry.tld/:certfile=/path/to/cert.pem".
 `
 
 exports[`test/lib/utils/config/definitions.js TAP > config description for ci-name 1`] = `
@@ -1016,7 +1017,8 @@ format with newlines replaced by the string "\\n". For example:
 key="-----BEGIN PRIVATE KEY-----\\nXXXX\\nXXXX\\n-----END PRIVATE KEY-----"
 \`\`\`
 
-It is _not_ the path to a key file (and there is no "keyfile" option).
+It is _not_ the path to a key file, though you can set a registry-scoped
+"keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem".
 `
 
 exports[`test/lib/utils/config/definitions.js TAP > config description for legacy-bundling 1`] = `

diff --git a/tap-snapshots/test/lib/utils/config/describe-all.js.test.cjs b/tap-snapshots/test/lib/utils/config/describe-all.js.test.cjs
@@ -230,8 +230,9 @@ newlines replaced by the string "\\n". For example:
 cert="-----BEGIN CERTIFICATE-----\\nXXXX\\nXXXX\\n-----END CERTIFICATE-----"
 \`\`\`
 
-It is _not_ the path to a certificate file (and there is no "certfile"
-option).
+It is _not_ the path to a certificate file, though you can set a
+registry-scoped "certfile" path like
+"//other-registry.tld/:certfile=/path/to/cert.pem".
 
 <!-- automatically generated, do not edit manually -->
 <!-- see lib/utils/config/definitions.js -->
@@ -819,7 +820,8 @@ format with newlines replaced by the string "\\n". For example:
 key="-----BEGIN PRIVATE KEY-----\\nXXXX\\nXXXX\\n-----END PRIVATE KEY-----"
 \`\`\`
 
-It is _not_ the path to a key file (and there is no "keyfile" option).
+It is _not_ the path to a key file, though you can set a registry-scoped
+"keyfile" path like "//other-registry.tld/:keyfile=/path/to/key.pem".
 
 <!-- automatically generated, do not edit manually -->
 <!-- see lib/utils/config/definitions.js -->